iCloud hackers said to have used police’s own tool

JC Torres - Sep 3, 2014, 4:20am CDT

This Internet circus doesn’t seem to have an end in sight just yet. Now a new player, or rather scapegoat, has entered the arena. Hackers who leaked compromising photos of Hollywood actresses are now believed to have used Elcomsoft Phone Password Breaker, or EPPB, forensic software designed exactly for extracting user data from Apple’s cloud service and, ironically, supposedly used by government and law enforcement agencies.

This revelation came via Anon-IB, an Internet forum dedicated to posting stolen nude photos. According to the information gathered from various posts, the hackers allegedly used a combination of EPPB and iBrute, a program released by security researcher Alexey Troshichev to pinpoint the security flaws in Apple’s Find My iPhone feature. With iBrute, a hacker would eventually be able to get a user’s login credentials. With EPPB, they would then be able to download everything that the user has, not just what is stored on iCloud but also what is on their iOS devices. In essence, the tool masquerades as a device or user trying to restore an iPhone’s content.

Elcomsoft, a Moscow-based company, is just one of many forensics outfits that develop this kind of software, primarily for legal purposes. However, it also seems to be the most loved by those with less than innocent goals in mind. The company’s website makes no qualms about the capabilities of its software. Unfortunately, it also has no checks in place to ensure that the software doesn’t fall into the wrong hands. EPPB may have a steep $399 price tag, but that of course won’t stop it from being distributed illegally.

For its part, Apple, which claims it has been outraged by the incident, says that there was no mass security breach of the kind others seem to suggest. Instead, it claims that its 40 hours of investigation led it to conclude that this was a very targeted attack on celebrity accounts, something not exactly uncommon on the Internet. That said, it has updated the Find My iPhone feature to address the security holes exploited by iBrute, rendering at least this part of the equation useless.

While the incident of these nude photos is quite deplorable, the issues that are now surfacing around it are perhaps even more worrisome. That the Internet is home to diverse, and sometimes questionable, interests isn’t news. But the realization that there are indeed places where such activities thrive or are even promoted, much less offer services, is always disturbing. That “security” companies who create these tools would not place safeguards to ensure that only the right people have access to them is also puzzling. And then there are the corporations who would no sooner wash their hands than admit to complacency. Of course, we users also have a part to play in safeguarding our own content, be it on our phones or in the cloud. But sometimes it feels almost futile when all these bigger forces seem to be working against you.

VIA: Wired
